Hackers used zero days to infect Windows and Android devices

Google researchers have detailed a sophisticated hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft and most outside researchers. (Both companies have since patched the security holes.) The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace them with code that installs malware on visitors’ devices. The booby-trapped sites used two exploit servers, one for Windows users and one for Android users.

The use of zero-day exploits and complex infrastructure is not by itself a sign of sophistication, but it does show above-average skill from a professional hacking team. Combined with the robustness of the attack code, which efficiently chained multiple exploits together, the campaign demonstrates that it was carried out by a “highly sophisticated actor”.

“These exploit chains are designed for efficiency and flexibility through their modularity,” wrote a researcher on Google’s Project Zero research team. “They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques and high volumes of anti-analysis and targeting checks. We believe that teams of experts designed and developed these exploit chains.”

The modularity of the payloads, the interchangeable exploit chains, and the logging, targeting and maturity of the operation also set the campaign apart, the researcher said.

The four zero-days exploited were:

  • CVE-2020-6418 – Chrome TurboFan vulnerability (fixed in February 2020)
  • CVE-2020-0938 – Windows font vulnerability (fixed in April 2020)
  • CVE-2020-1020 – Windows font vulnerability (fixed in April 2020)
  • CVE-2020-1027 – Windows CSRSS vulnerability (fixed in April 2020)

The attackers obtained remote code execution by exploiting the Chrome zero-day and several recently patched Chrome vulnerabilities. The zero-days were used against Windows users. None of the attack chains targeting Android devices exploited a zero-day, but the Project Zero researchers said the attackers likely had Android zero-days at their disposal.

In all, Project Zero published six installments detailing the exploits and post-exploitation payloads the researchers found. The other parts describe a Chrome infinity bug, the Chrome exploits, the Android exploits, the post-exploitation Android payloads and the Windows exploits.

The series is intended to help the security community at large combat complex malware operations more effectively. “We hope this blog post series provides others with an in-depth look at exploitation from a real-world, mature and presumably well-resourced actor,” the Project Zero researchers wrote.

This story originally appeared in Ars Technica, a trusted source for technology news, technology policy analysis, reviews and more.
